VPN L2TP/IPSEC RouterOS 6.11

Hi everyone!

I’m having some trouble to setup a VPN L2TP in one of my current Mikrotiks because of it’s version (6.11) for sure! The plan is to replace that RB1100AHx2 for a RB1100AHx4 Dude Edition, but right now it’s impossible to do that migration.

I’ve been looking for a tutorial, guide, post or anything like that in all the blessed internet, but nothing it’s based on the 6.11 version, so, everything refers to options that I don’t have and for them, works just perfect.

I’ll post some captures of the actual configuration and wait for you to tell me what’s wrong. Do have in mind that for some easy thing, I’ve changed some options to see if it works, but till now, couldn’t make it happend.

I also have the udp input chain in the firewall set up.

Well, hope you have any idea to give me a hand.

Have all a nice weekend!

See ya…

Any ideas? Somebody?

I wasn’t aware that there was a version 6.11…why haven’t you upgrade it to at least LTS (6.47.9 at this moment)?
For anyone else who wants to know…6.11 was released in March 2014 (and has been cracked a lot).

What does /interface l2tp-server export show (not interested in your password)?
[Update]
My settings in l2tp-server are:

/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp-profile enabled=yes \
    ipsec-secret=******** max-mru=1460 max-mtu=1460 use-ipsec=required

Have you checked logging?
And what is the problem?
Have you upgraded yet?

Yes, update to 6.47.9!!!

And why do you think I didn't that already??? You are not colaborating man!!!.

As I said at the beggining, I can't do the migration nor as I can't update the routeros version. I need to get this done.

Now, I'm looking for some info, based on the old 6.11 RouterOS version to setup an open vpn solution, but again, everything is old, updated and full of troubles. I don't know what to do right now, if keep on searching things based on an open vpn solution or what, because everything seems to be a problem with the 6.11 RouterOS version.

Hi erlinden!
This is the print result

/interface l2tp-server server>> print
enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: pap,chap,mschap1,mschap2
keepalive-timeout: 30
default-profile: Sicfe

I can't do any updates on this mikrotik because my vendor sais that we had a lot of configurations that will get not working as there have been so many changes from 6.11 to 6.4X. So, If I do the update, there are a lot of things that could get wrong and will have to fix it in a production firewall...and that's not the ideal scenario I think.

The problem Is that when I try to connect into that Mikrotik using the vpn as I shown, the error message in Windows 10 said something like "Internal error trying to connect L2TP because the level of security found an error in the procces during inicial negotiations with the remote machine"...or something like that, as I have my Windows 10 in spanish, and my traduction could be as perfect as it should.

Get rid of the vendor, though they are correct any company not prioritizing security should be left behind.
In regards to the error, please have a look at my (working) configuration:

/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 name=\
    secure-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal pfs-group=\
    modp4096

Hi erlinden,

Here is what I have inside IPsec...can't find the "profile" you mention. In my first post are the rest of the captures of the configuration. As long as you have a newer version of the routeros, you see/have things that I don't, that's why I'm in this forum right now jeje.

I hope to get rid of this vendor this year after more than 15 years with them, but now, I've to reach a solution in this topic. I can make a vpn pptp, but I really don't want to get to that point.

Thanks for the help to get all this working as it should!

Captura07.JPG599×137 12.6 KB

I would, assuming this is a temporary situation, use this in combination with address list filter (allowing only listed IP addresses).
Are you sure the router isn’t compromised? How are you doing remote (or do you have access?) management (hope you do not allow any management from the Internet interface)?
Who will be the VPN consumer(s)?

Yes, as you said, this is just temporal. I need to solve some things to get people working and then, find some time to jump into a brand new rb1100 that I have in the office and set it up from scratch. Imagine this situation...we have two mikrotik, one in the headquarters and the other one in a DataCenter, both have a 6.1 routeros version and in both cases, we have almost 200 filter and 200 nat rules and we use like, 35%, 40% of them, the other 65%, 60% are disabled AND, an importante percentage of that 35%, 40% are things that we don't use anymore. So, as I managed to get rid of this vendor during this year, I've had some talks with directors of the company and they said there was allright to start a configuration from zero in both locations, that's why I have 2 brand new mikrotiks pending to be configured, but, right now, I don't have the time to do it (and of course I won't do an export/import migration).
So, that's more or less the scenario.

I connect vía vpn pptp to my computer in the headquarters, then, using winbox, in my lan, I connect to the router of the headquarters, and, as there's an ipsec between both mikrotik, I can connect to the other mikrotik.

I have done some rules that blocks unwanted traffic. As my country is quite small, I could manage to add some address list and accept traffic only of the ip's I wanted (and some other stuffs).

The new vpn is going to be to a company that will work with us. They need to connect to a virtual server that's from us, in the DataCenter I was talking about earlier. So, as I don't want to give them another pptp vpn, I want to implement something with l2tp over ipsec or an OpenVPN solution.
Today I started the day searching for a tutorial or something to impement an OVPN solution, but again, steps, boxes, tabs, and thing that I don't have in my routeros version, so, it's the same thing with whatever secure vpn I try to configure...routeros version problem. I'm so outdated with this version that is so so so frustrating.

What’s new in 6.13 (2014-May-15 16:03):
*) l2tp - fixed occasional server lockup;
*) pptp - fixed memory leak;

What’s new in 6.16 (2014-Jul-17 13:12):
*) l2tp, pptp, pppoe - fixed possible packet corruption when encryption was enabled;

What’s new in 6.25 (2015-Jan-19 10:11):
*) ntp - fixed vulnerabilities;

What’s new in 6.27 (2015-Feb-11 13:24):
*) ipsec - fixed crash that happened in specific situation;

What’s new in 6.29 (2015-May-27 11:19):
*) sstp - fixed router lockup.
*) fixed FREAK vulnerability in SSL & TLS;

What’s new in 6.32 (2015-Aug-31 14:47):
*) ipsec - fix potential memory leak;

What’s new in 6.32.2 (2015-Sep-17 15:20):
*) upnp - randomize action urls to fix “filet-o-firewall” vulnerability;
*) ipsec - fixed kernel failure when packets were not ordered on first call;

What’s new in 6.33 (2015-Nov-06 12:49):
*) ppp, pptp, l2tp, pppoe - fix ppp compression related crashes;

What’s new in 6.35 (2016-Apr-14 12:55):
*) ipsec - fixed crash on policy update;

What’s new in 6.35.4 (2016-Jun-09 12:02):
*) ipsec - fixed route cache overflow when using ipsec with route cache disabled;

What’s new in 6.36 (2016-Jul-20 14:09):
*) ipsec - fixed route cache overflow when using ipsec with route cache disabled;

What’s new in 6.37 (2016-Sep-23 08:20):
*) ipsec - fixed crash with enabled fragmentation;
*) ipsec - fixed kernel crash when sha512 was used;

What’s new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

What’s new in 6.41.3 (2018-Mar-08 11:55):
!) smb - fixed buffer overflow vulnerability, everyone using this feature is urged to upgrade;

What’s new in 6.42.1 (2018-Apr-23 10:46):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;

What’s new in 6.42.7 (2018-Aug-17 09:48):
!) security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;

What’s new in 6.43.12 (2019-Feb-08 11:46):
!) winbox - improvements in connection handling to router with open winbox service (CVE-2019–3924);

What’s new in 6.45.1 (2019-Jun-27 10:23):
!) security - fixed vulnerabilities CVE-2019-13954, CVE-2019-13955;
!) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security - fixed vulnerability CVE-2019-13074;
!) user - removed insecure password storage;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) ovpn - added “verify-server-certificate” parameter for OVPN client (CVE-2018-10066);
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

What’s new in 6.45.5 (2019-Aug-26 10:56):
*) smb - improved stability on x86 and CHR (CVE-2019-16160);
*) system - accept only valid string for “name” parameter in “disk” menu (CVE-2019-15055);

What’s new in 6.45.7 (2019-Oct-24 08:44):
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);

What’s new in 6.47.4 (2020-Sep-16 11:32):
*) smb - fixed possible memory leak (CVE-2020-11881);

Oh! Great job on copying and pasting all the changelogs related with l2tp, ppt2, etc etc!! It really helps me a lot man. Now, with all that useless info, maybe the connection could be stablished.

My god…

Just so you know, there is an option that is fairly safe. You can repartition your router so that it has two partitions instead of one. Then you can copy your first partition (which copies the current config + 6.11 routeros version) to the second, boot to the second partition, and try upgrading that. If something breaks, you can simply boot back to the first partition and you’ll be back to the way it was.

If you do decide to take that avenue, I wouldn’t recommend upgrading immediately to the latest. I would move up more gradually.

This help you to “align” default parameters to what is set on 6.47.9
After that try to config again, probably this help…

/ppp profile
set *0 address-list=""
set *0 !bridge
set *0 !bridge-horizon
set *0 !bridge-path-cost
set *0 !bridge-port-priority
set *0 change-tcp-mss=yes
set *0 !dns-server
set *0 !idle-timeout
set *0 !incoming-filter
set *0 !insert-queue-before
set *0 !interface-list
set *0 !local-address
set *0 name=default
set *0 on-down=""
set *0 on-up=""
set *0 only-one=default
set *0 !outgoing-filter
set *0 !parent-queue
set *0 !queue-type
set *0 !rate-limit
set *0 !remote-address
set *0 !session-timeout
set *0 use-compression=default
set *0 use-encryption=default
set *0 use-ipv6=yes
set *0 use-mpls=default
set *0 use-upnp=default
set *0 !wins-server
set *FFFFFFFE address-list=""
set *FFFFFFFE !bridge
set *FFFFFFFE !bridge-horizon
set *FFFFFFFE !bridge-path-cost
set *FFFFFFFE !bridge-port-priority
set *FFFFFFFE change-tcp-mss=yes
set *FFFFFFFE !dns-server
set *FFFFFFFE !idle-timeout
set *FFFFFFFE !incoming-filter
set *FFFFFFFE !insert-queue-before
set *FFFFFFFE !interface-list
set *FFFFFFFE !local-address
set *FFFFFFFE name=default-encryption
set *FFFFFFFE on-down=""
set *FFFFFFFE on-up=""
set *FFFFFFFE only-one=default
set *FFFFFFFE !outgoing-filter
set *FFFFFFFE !parent-queue
set *FFFFFFFE !queue-type
set *FFFFFFFE !rate-limit
set *FFFFFFFE !remote-address
set *FFFFFFFE !session-timeout
set *FFFFFFFE use-compression=default
set *FFFFFFFE use-encryption=yes
set *FFFFFFFE use-ipv6=yes
set *FFFFFFFE use-mpls=default
set *FFFFFFFE use-upnp=default
set *FFFFFFFE !wins-server
/interface l2tp-server server
set allow-fast-path=no
set authentication=pap,chap,mschap1,mschap2
set caller-id-type=ip-address
set default-profile=default-encryption
set enabled=no
set ipsec-secret=""
set keepalive-timeout=30
set max-mru=1450
set max-mtu=1450
set max-sessions=unlimited
set mrru=disabled
set one-session-per-host=no
set use-ipsec=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only
set [ find default=yes ] responder=no
set [ find default=yes ] use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024
set [ find default=yes ] dpd-interval=2m
set [ find default=yes ] dpd-maximum-failures=5
set [ find default=yes ] enc-algorithm=aes-128,3des
set [ find default=yes ] hash-algorithm=sha1
set [ find default=yes ] lifetime=1d
set [ find default=yes ] name=default
set [ find default=yes ] nat-traversal=yes
set [ find default=yes ] proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1
set [ find default=yes ] disabled=no
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc
set [ find default=yes ] lifetime=30m
set [ find default=yes ] name=default
set [ find default=yes ] pfs-group=modp1024
/ip ipsec policy
set 0 disabled=no
set 0 dst-address=0.0.0.0/0
set 0 group=default
set 0 proposal=default
set 0 protocol=all
set 0 src-address=0.0.0.0/0
set 0 template=yes
/ip ipsec settings
set accounting=yes
set interim-update=0s
set xauth-use-radius=no

Is this setting up all for default? I'm not a master in routeros, but it seems that I could loose lots of connections created...

Finally, I’ve decided to set up a pptp vpn and that’s it. As I olso give Open VPN a try without success, I gave up trying to set up something a little bit secure with the version of routeros that we are running at the moment. I’ve set up a pptp and well, to have something and avoid redirecting the 3389 through internet.

Next week or the next one to that, I’ll start to configure the new routers and the first thing I’ll do, is updating them both routeros and firmware versions!

Do you have any guide/suggestions or something with some basic “must have” rules? I have quite a few already, but, you never know, you aren’t always safe on the internet.

Thanks to all!

There has been so many big security upgrade since 6.11 (released 2014-06-09!!!), so if its connected to internet in some form, it should be upgraded. If it’s on a closed network without internet involved, then this may work.


PPTP VPN has no security at all, everything goes in clear text

I know, I know, I know, but if you read the entire post, you’ll realize why there has been no updates since years and years.

I hope this month could be THE month of the finally and desire update!

My approach would have been to install the new 1100 next to the old one and connect one of the new one’s ports to the old one’s LAN, port-forward UDP port 4500 from the old one’s WAN to new one’s IP address on the LAN, and set up the L2TP/IPsec server on the new one. And later copy the firewall configuration from the old one to the new one, and then move the cable from old one’s WAN to new one’s WAN.